Combofix found an infection

Yes it replaced an infected file with a good copy.

You should run these below procedures so that we can check for anything else.

READ & RUN ME FIRST - Malware Removal Guide

 

Impossible to say, all I know is that whatever it was infected a legitimate file, but that CF replaced it from a backup copy on your machine.



Re run Hitman and have it remove what it finds.


Delete this:

• C:\Users\HP\AppData\Local\Web Freer

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now describe how the machine is running please.

 

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

 

Please run the below and attach the log.

Malwarebytes Anti-Rootkit - Running

 

What made you run Combofix in the first place? (Curious) Also...WHERE did you download your copy of Combofix from?

Run it again now and attach the resulting log. (But first... download a fresh copy from here http://majorgeeks.com/Combofix_d6402.html and let it overwrite the old. Reinstalling Windows is certainly an option, but would you not prefer that we tried here some more first?

 

Surf around a day or two and then come back and let me know how it's running.

 

I am not seeing any signs of a software keylogger. You can ask about hardware keyloggers in the hardware forum if you like. But otherwise, pop back here in a couple days.

Do not keep running combofix though, it's a double edged tool, and unfortunately can cause alot of damage in the wrong hands. When you post back here, I will probably have you run it then to see if it finds any more infected files.

 

Give Combofix another run. Attach the log.
Then I may have you run through the entire R&R again and also attach all of those requested logs. If I am NOT seeing any malware after that, and/or Combofix is no longer detecting infected files, then you will have to post in the software forum then about any non malware related subject.

 

never used a mac before in my life...

Mac vs PC

I don't know what is going on with your computer. I'm pretty sure it is not a rootkit. I am going to have a word with Chaslang, and get back to you with a response as soon as I can. Hang in there.

In the mean time, please run this online scan and see if it finds anything. It will probably take a while to run so go off and do something for a bit.


Run this and attach the results.

Using ESET's Online Scanner

 

How is the machine bahaving currently? ESET didn't find anything of great significance...

 

What is inside of this folder? Anything?

• C:\Windows\System32\%LOCALAPPDATA%

 

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
c:\windows\system32\%LOCALAPPDATA%
C:\Program Files\Enigma Software Group
C:\fywa.odt

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Run Combofix just one more time and attach the resulting log.
Also explain how things are running at this point.

 

For Windows 7 you do not have enough RAM installed for things to be "smooth sailing" You have 1GB available and that's the absolute minimum for this OS. You should have about 4GB in there. No wonder you are running so slowly.

You may want to take a look at this: http://windows.microsoft.com/en-GB/windows7/products/features/readyboost It might help whilst you wait for extra memory.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
   • Copy and paste the below into the Run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!